OpenBSD 5.7 Changelog

This selection is intended to include all important and all user-visible changes. For a complete record of all changes, please see the "source-changes" mailing list, called "OpenBSD CVS" in the archives, or use CVS.

Note: Problems for which patches exist are marked in red.

For changes in other releases, click below:
2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6,
3.7, 3.8, 3.9, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 5.0, 5.1, 5.2, 5.3,
5.4, 5.5, 5.6, 5.8, 5.9, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 7.0, 7.1,
7.2, 7.3, 7.4, 7.5, current.

Changes made between OpenBSD 5.6 and 5.7

Update unbound(8) to 1.5.0.
In mandoc(1), make .Ao and .Aq renders as "<>" after .An, and as "\(la\(ra" elsewhere, just like groff.
Fixed for mandoc(1) db for NAME_FIRST before its first use, NAME_FILE duplication and correct NAME_FILE mask for .so links.
Delete KERN_VNODE sysctl(3).
Add support for exporting relayd(8) statistics via AgentX/snmpd(8).
Add support for AgentX subagents in snmpd(8).
Fix ssl memory leak with pkey in client key exchange.
Bugfix for grdc(6) to run for the specified amount of seconds, not for a fixed amount of iterations. Makes a difference on slow terminals.
Make mandoc(1) let escape sequences terminate high-level macro names, and when doing so, they are ignored.
Make binutils recognize sahf/lahf for amd64 code, backported from 2.17.
For newer re(4) chipsets, add support for stopping the operation within re_stop().
Let mandoc(1) support the ".if v" conditional operater for groff compatibility.
Sync ssh(1) AES code to the one shipped with OpenSSL/LibreSSL.
Make binutils recognize dcbzl for PPC code, backported from 2.17.
Disable the page zeroing thread on MP mips64 kernels.
Added support for sigwinch resizing in grdc(6).
Make mandoc(1) ignore invalid directories in man.conf and MANPATH, but complain about invalid directories given on the command line.
Avoid iteration over end of string in patch(1).
On ppc platforms, make pmap_zero_page MP-safe by using the directmap.
Enable GOST cipher in libcrypto.
For cas(4), use pa_device to ensure each MAC address of a multi port board is unique.
When running mandoc(1) in man(1) mode, set match order to file name over .Dt name over first .Nm entries over other NAME .Nm enties over SYNOPSIS .Nm entries. Re-run "makewhatis" to effectuate this change.
Fix NULL pointer dereference in ssh(1) key loading.
Activate support in pkg-config(1) for "package != version" requests.
Imported perl 5.20.1.
Add Cammelia cipher to libcrypto.
Make /var/tmp a symbolic link to /tmp. Move /tmp to the same 7-day expiration that /var/tmp had.
Added new function to libc, crypt_newhash(3).
Add quirks for "Realtek ALC885" found on MacMini3.1, unmutes the internal speaker, line input and hp output.
Reduce dhclient(8) risk by putting config file reading after forking the privilege separated child process but before getting hardware link.
Sync kernel AES code to the one shipped with OpenSSL/LibreSSL.
Make usbdevs(8) show super speed status in verbose output mode.
In ssh(1), fix KRL generation when multiple CAs are in use.
Make mandoc(1) correctly handle whitespace-only lines in regard to vbl and vis variables.
Two fixes to make Qemu and VMWare xhci(4) implementations work, always unmask the slow context for the Set Address command and use the right spl when wubmitting a transfer.
Allow cas(4) to retrieve the MAC address from the rom for NS Saturn based boards.
Reworked the sigwait() handling to fix ptrace() in some circumstances.
Add cas(4) devices to i386 and amd64 GENERIC kernels.
Change librthread to not restart syscalls on SIGTHR.
Fix in librthread to allow check for cancellation when a handled (but not waited for) signal occurs.
Use newly imported siphash algorithm for in_pcb hashing.
In dhclient(8), make -q and -d mutually exclusive.
Removed 'tcl' command from vi(1).
On ifconfig(8), move trunk(4) code outside #ifdef SMALL to allow trunk operation on RAMDISK kernels.
Implement atomic_* ops for the arm platform.
In mandoc(1), remove harmful byte swapping on big endian architectures.
Fix reversed logic when selecting log level in npppd(8).
Fixed use after free in npppd(8) when pool addresses change.
Add -b to splitw in tmux(1) like in joinw.
In the performance adjustment code, take a few more ticks before throttling down to handle situation where it is cpu intense but intermittenly idle.
In tmux(1), don't let force-width or force-height be less tha PANE_MINIMUM.
Store autoinstaller logfile in /mnt/var/log to be available after reboot.
Updated time zone data to tzdata2014j.
Do not hold the kernel lock when calling hardclock() and statclock().
When exploring the usb buses, do not probe the ports which status hasn't changed. Saves a lot of I/O when attaching/detaching devices.
Tweaked DHCPACK to DHCPINFORM log entries to more informative.
Speedup in mandoc(1) in man(1) mode without -a, stop searching after the first manual tree that contained at least one match.
Stop athn(4) from attaching to AR9300 devices due to unresolveed bugs.
For httpd(8), allow the log directory be configurable in the config file, rather than having it fixed as /logs in the chroot.
In xhci(4), do not reset the base address of the control endpoints ring when the second Set Address command is issued.
Make pf(4) ask for ICMPv6 checksum recalculation in pf_route6 since the addresses may have been tweaked.
bgpd(8) now outputs 32bit AS numbers in ASPLAIN format by default instead of AS_DOT+.
Socket closing fixes in the client rpc(3) code.
Implemented -h in mandoc(1) for preformatted (cat) pages.
Fix for ix(4) SFP+ module detection when booting without the modules plugged in.
Added support for USB 1.x devices below external hubs on xhci(4).
Make sure httpd(8) does't try to open log files when using syslog.
Changed the xhci(4) attach logic to set the address of a device. Fixes issues seen on root hubs with some Low/Full speed devices.
Plug an rtentry leak in route code.
Fix pf(4) state linking used to implement transparent relays for connectionless protocols.
Added GOST crypto algorithms to libcrypto. Not enabled yet.
Make tmux(1) expand formats in copy-pipe command.
When a usb(4) pipe is closed, only clear the memory of the corresponding endpoint context. Fixes a panic.
Stopped tmux(1) extending the line to full width on insert/delete character (leaves extra spaces when reflowing); only mark a line wrapped when the cursor actually goes off the end (not on newlines).
If resuming from sleep (zzz/ZZZ) and the lid is still closed, go back to sleep. Prevents accidental lid flex from waking the machine up.
Libtool moved to the comp set.
Enabled xhci(4) on i386 and amd64, for USB 3.0 support.
Fixed problems with iked(8) EAP state transition. Allows Win7 to establish the a tunnel again.
Fixed a race (and panic) in xhci(4) when submitting a command by using the appropriate spl(9) protection.
Removed the SSLv2 option from relayd(8); made "no sslv3" work as intended.
Added bcd(6) -l option to create "modern" 80 column cards.
Made malloc(9) calculate correct size before doing the free checks, to fix recent panics.
Enabled TLS extensions in ssl(8).
Fixed mac address selection with unnumbered carpdevs when using carp(4).
When tmux(1) copy mode is used for output, wrap the text.
Removed old curses support from vi(1).
Added V for tmux(1) "select line" with vi(1) keys.
In smtpd(8), stopped prepending the user ID in the local enqueuing "Received" line.
Implemented workaround for em(4) i218 watchdog timeouts that are triggered by heavy traffic.
Fixed sd(4) cards with rev C BeagleBone Blacks.
Added rgephy(4) for the RTL8211E phy in the LeMaker Banana Pi and Banana Pro.
Added atphy(4) to armv7, for the Atheros AR8031 phys in the AM335x starter kit.
Introduced SipHash (https://131002.net/siphash/), useful when adding protection against hash bucket flooding attacks.
Allow the five man(7) font macros to concatenate their line arguments. Removes bogus <br/> when font macros are used in -Thtml "no-fill" mode.
Stopped dhclient(8) leaking static leases when the "lease {}" parsing fails or when a static lease supersedes an earlier one.
Fixed kernel stack overflow in carp(4) by preventing carp_send_ad_all() from re-entrant calls.
Stopped changing the gateway of local route(4) for p2p interfaces. Prevents a panic.
Updated to xterm(1) version 312.
Use the correct default MaxPacketSize for Full Speed usb(4) devices and make them work with xhci(4).
In passwd(1), removed support for all password cyphers except blowfish(3).
Removed ephemeral RSA key handling from ssl(8).
Add support for automatic DH ephemeral keys in ssl(8), so DH keys can be generated based on the server key length; use automatic DH ephemeral parameters instead of fixed 512 bit.
Removed ssl(8) support for ephemeral/temporary RSA private keys.
Renamed libressl to libtls, to avoid confusion.
Major bugsquashing with respect to -offset and -width in mdoc(7).
Do not enable interrupts before attaching usb(4). Fixes panic when an Express Card has usb(4) devices.
Support utf-8 and iso-8859-1 input by integrating preconv(1) utility into mandoc(1).
In mandoc(1) -Tascii mode, only print "<?>" for unicode escapes of unknown representation (not for character escapes with unknown names).
Tightened mandoc(1) unicode escape name parsing.
Fixed pipex(4) to return multicast packets to the caller so that npppd(8) can handle them.
Fixed pipex(4) to initialise DF bit in IP header for L2TP message, so packets larger than minimum MTU aren't dropped.
5.4, 5.5, 5.6 and -current SECURITY FIX: Fixed incorrect expansion of netmask for dynamic interfaces by pfctl(8). Stops potential elevation of access permissions for IPv6 traffic..
Removed execute permission from most pages in the kernel pmap(9) on powerpc.
Stopped supporting wsmoused(8) and X(7) in parallel. Code is racy and known to break mice upon resume.
Fixed regression in term.c r1.89: repaired handling of zero-width spaces (\&) in mandoc(1) utf-8 output.
Allow the current lease to expire without causing dhclient(8) to seg fault when it tries to get a new one.
Fixed possible infinite recursion in perl(1) Data::Dumper (CVE-2014-4330).
Improved mandoc(1) -Tascii output for unicode escape sequences: for the first 512 code points, provide ASCII approximations; provide approximations for some sequences above codepoint 512 via mandoc_char(7) character table.
When using the local enqueuer and the internal SMTP session fails, made smtpd(8) copy the original message to ~/dead.letter so it's not lost.
On hppa, fixed "read section header string table failed(0)" errors when attempting to boot lif.fs.
Fixed smtpd(8) so newaliases and makemap can parse multi-line aliases entries.
Stopped mandoc(1) attempting to parse empty equations. Fixes a null pointer dereference.
In mandoc(1), report arguments to .EQ if they have caused an error.
Don't attempt to suspend/resume a partially attached drm(4) driver. Fixes crash upon resume with ATI FireMV 2400 card.
Stopped the page zeroing thread launching on m88k multiprocessor systems. Avoids a deadlock between reaper and zerothread.
Added pane_input_off format to tmux(1).
Retired networks(5) support from amd(8) and getent(1).
Extended features in autoinstall(8).
No longer limit physmem to 2GB on hppa.
Removed networks(5) support from netstat(1).
Avoid an ssl(8) null pointer dereference that could be triggered by SSL3_RT_HANDSHAKE replays.
Allow reliable IPv6 communication between carp(4) master and backup across a shared IPv6 subnet.
URL-decode the httpd(8) request path.
Only redraw the tmux(1) pane when it has actually changed.
Reworked httpd(8) error messages: do not send details of 40x errors, to avoid possibility of javascript injection attacks.
Made tftp(1) cope with sending or receiving files beyond 65536 blocks in length.
Fixed du(1) regression, always report the size of files listed.
5.6 SECURITY FIX: disabled SSLv3 by default.
A source code patch is available for 5.6.
In getent(1), error out when hosts enumeration is requested.
Made mandoc(1) correctly parse spacing around in-line equations.
Removed the "interface" option from relayd(8) "transparent forward" directive.
Fixed memory leak in ssl(8) d2i_SSL_SESSION.
Backported fix for binutils bug 11867: ".quad" directive not assembled correctly.
Use sha512 instead of md5 for tcp(4) initial sequence number.
In ssl(8) s_client, no longer call shutdown on a non-existent socket descriptor.
In the random number generator, use sha512 to hash the entropy (instead of md5).
5.4, 5.5 and 5.6 RELIABILITY FIX: Stopped assuming elf(5) ep_taddr and ep_daddr are page-aligned, to fix a panic.
A source code patch is available for 5.4, 5.5 and 5.6.
Update to xf86-video-mga 1.6.3
Update to xf86-video-savage 2.3.7.
More gracefully handle firmware loading errors in ulpt(4). Avoids potential kernel crash.
5.4 and 5.5 RELIABILITY FIX: Fixed two remotely triggerable memory leaks in ssl(8).
A source code patch is available for 5.4 and 5.5.
Better POSIX compliance for realpath(3).
Made sure the pmap(9) direct map isn't executable on amd64. Mitigates some ret2dir attacks.
Correctly encode half line feed in the output stream for col(1) -f.
Added the -d flag (limit display depth) to du(1).
Made the mg(1) kill-paragraph and forward-paragraph commands stop once they can go no further.
Fixed resume from hibernate on AMD processors.
Fixed col(1) segfault triggered by an input line containing two consecutive backspace characters beyond column MAX_SHRT.
Implemented in-line equations in mandoc(1), needed by Xenocara manuals.
Allow empty headers in smtpd(8).
Disabled SSLv3 by default in ssl(8), relayd(8) and smtpd(8).
Stopped smtpd(8) relaying a header that will be rewritten by the destination MX.
Prevented sessions from sending a huge number of continuations to a single header and starving smtpd(8).
Made rcctl(8) properly access all rc.d(8) scripts and ignore anything irrelevant in /etc/rc.d.
Fixed memory leak in smtpd(8) error path.
Even if a table has zero columns, do not segfault in the mandoc(1) formatter.
Stricter syntax checking of unicode character names by mandoc(1); properly scale string length measurements for postscript and pdf output.
Improved error handling in the eqn(7) parser; do not parse quoted strings for tokens. Fixes glFrustum(3).
Fixed bug in mg(1) backward-paragraph when pressing "M-{".
Stopped iked(8) segfaulting when connecting from Strongswan on Android
Major upgrade to eqn(7) terminal output.
Removed possibility of multiplicative integer overflow in relayd(8) and snmpd(8).
Moved CPU throttling into the kernel, enabled with sysctl(8) hw.setperf=-1.
Added rcctl(8) "default" command.
Allow pkg_sign(1) signing to proceed when interrupted.
In rcctl(8), prevented "-e" in daemon_flags being fed as an argument to the built-in echo.
Partial eqn(7) rewrite, to fix operator precedence.
Let rcs(1) handle -l and -u combinations.
Parse and render "from" and "to" clauses in eqn(7), and render matrices.
More readable eqn(7) -Ttree output; initial bits of MathML rendering for eqn(7) -Thtml.
Properly initialise secondary CPUs on 64 bit macppc machines.
Allow kernel to be built without ddb(4).
Added ddb(4) support for DWARF line number decoding, so "trace" includes file and line numbers.
No more modstat(8), modload(8) or lkm(4).
Tweaked ssh_config(5) reparsing with host canonicalisation; added -G option to ssh(1); don't ignore ssh_config(5) "Port" options (bz#2267 and bz#2286).
Made sndiod(8) check parameters returned by audio drivers, and report driver bugs rather than crashing.
Made workq/taskq runner threads yield when they've hogged the CPU.
Now that the cleaner yields the CPU, stopped vfs(9) checking to see if we are hogging the CPU.
Restricted smtpd(8) address lookups to configured address families.
Fixed hardware lockup on intel(4) with i845g.
In vi(1), bumped max columns to 768 to accommodate bigger screens.
Removed support for AOE (ata over ethernet).
Fixed DDOS in head(1) by using the correct exit code on failure.
Removed gzsig(1).
Switched mandoc(1) HTML output to polyglot HTML5; have only one single -Thtml mode.
If a tbl(7) layout contains unknown font modifiers, don't fail table, fallback to default font.
Removed sdio(8).
Made amd64 pmap(9) more efficient on multi-processor machines.
When chmod(1) is called, do not silently ignore syntax errors in options, instead error out properly.
When ssl(8) is verifying an IP address is in a certificate common Name, do not perform wildcard matching.
If ssl(8) has to match against a wildcard in a cert, verify that it contains at least a domain label.
Amended previous commit in ftp(1) fetch.c to un break ELS cert validation when using a proxy.
Check object allocation for success before using it in ssl(8) v3_cpols.c.
In ssl(8), fixed memory leaks in the error path of v2i_AUTHORITY_KEYID() and set_dist_point_name().
Switched syslogd(8) from using poll(2) to libevent.
Updated xterm(1) to version 311.
Stopped xhci(4) Intel Series 7 controllers reporting illegal context state transition when detaching devices.
In ftp(1), only pass the remote host name (not any ":portnumber" suffix) to ressl_connect_socket().
Forced smtpd(8) to strip any empty BCC header in the DATA part of the SMTP transaction.
Cleaned up the reporting socket code in syslogd(8).
Introduced a thread for zeroing uvm(9) pages without holding the kernel lock, to reduce latency.
In syslog_r(3), strip trailing newlines from syslog messages, to avoid empty lines when printing.
Allow ssl(8) to disable hostname and certificate verification separately.
Enabled automatic handling of ephemeral EC keys by ssl(8).
Allowed many code paths in myx(4) to run without the kernel lock.
Now that pool(9) are mpsafe, made the mbuf(9) allocators on top of pools mpsafe too.
Fixed a crash when there is text after a failed %Z conversion in strptime(3).
When no domain is specified in MAIL FROM or RCPT TO, smtpd(8) now assumes local user.
Fixed httpd(8) endless event loop that could eat all CPU time.
Added local subnet route (RFC 3442) support to dhclient(8).
Enlarged columns for 4-byte ASN display with bgpctl(8) "show summary" output.
Fixed route(4) so arp(8) will no longer report an incomplete entry for lo0.
Made tmux(1) take account of window-status-separator when checking window position.
Update status when a tmux(1) pane is selected with a mouse.
Always call waitpid(2) on SIGCHLD when client_attached is set in tmux(1). Avoids potential zombie.
Fixed some incorrect format specifiers in a debug printf(9) in apm(8).
Fixed loopback related breakage introduced by the conversion of in_ouraddr() to use the route(4) table.
Map out-of-range facility values to LOG_USER to avoid array over-read in syslogd(8).
No longer define default_bits in openssl.cnf. Allows the compiled-in default to take priority.
Switched openssl(1) "req" command to using SHA256 (hashes) and AES256 (on-disk keys) by default.
5.6 RELIABILITY FIX: Fixed some run(4) devices working in 5.5 but not in 5.6-release.
More optimisations of luna frame buffer. Makes 4bpp wscons(4) putchar ~8% faster on luna88k.
Unhooked sliplogin(8), sl(4), slstats(8) and slattach(8).
Check speed of a new device does not exceed parent's speed prior to calling usbd_new_device().
5.4, 5.5 and 5.6 SECURITY FIX: Stopped nginx (in base) reusing cached ssl(8) sessions in unrelated contexts (CVE-2014-3616).
A source code patch is available for 5.4, 5.5 and 5.6.
Added support for "physical devices" to mfii(4).
In ssl(8), cleaned up EC cipher handling in ssl3_choose_cipher().
Prevented dmesg(8) spam from some windows-only keys (found on very new thinkpads).
Do not use the global list of IPv4 addresses in icmp_reflect(), use the route(4) table.
Increased text segment size on arm to 32MB.
When setting env(1) in an at(1) atrun script, use the "export foo=bar" form. Allows shell to catch variable names that are not valid shell identifiers.
Fixed r1.12 of ssl(8) x509_att.c which had a NULL pointer dereference in the error path.
Added option that allows any enabled ssl(8) protocols to be explicitly configured.
Use raster operation (ROP) function on luna frame buffer. 4bpp wscons(4) putchar now ~20% faster.
vds(4/sparc64) now supports block devices.
Reversion fixed in smtpd(8), which had broken table_passwd.
In ssl(8) check_cert(), reset ctx->current_crl to NULL before freeing it.
In ssl(8) X509_NAME_get_text_by_OBJ(), made sure we do not pass a negative size to memcpy(3).
In wdc(4) when doing ioctl(2), fixed leak by ensuring scsi(4) xfer free is done before ata xfer free.
Properly serialise closing vnode on sparc64. Fixes occasional panic during reboot or when restarting ldomd(8).
Updated to: xtrans 1.3.5; libXext 1.3.3, libXi 1.7.4, inputproto 2.3.1 and xrandr 1.4.3.
Provided a ressl config function that explicitly clears keys.
New API function SSL_CTX_use_certificate_chain(). Allows reading PEM-encoded certificate chain from memory instead of a file.
Remove a limitation that ignored IPv6 link-local addresses (eg fe80::2%carp0) on carp(4).
Reverted r1.142 of netstart.
In ssl(8) X509v3_add_ext() error path, do not free memory that was not allocated.
In ssl(8) X509_TRUST_add(), check X509_TRUST_get0() return value before dereferencing it; fixed memory leak.
In pool_destroy(9), enter and leave mutex(9) as necessary to satisfy assertions.
Updated to: xf86-video-vmware 13.0.2, fontsproto 2.1.3, libXfont 1.5.0 and xserver 1.16.1.
Disabled WRITE events when closing file descriptor of the I/O bufferevent. Fixes potential event flood in httpd(8).
In ssl(8), check that the specified curve is one of the client preferences.
In ssl(8) X509_STORE_get1_certs() and X509_STORE_get1_crls(), check the result of allocations.
Fixed memory leaks in ssl(8) X509_issuer_and_serial_hash() and X509_STORE_new().
Use correct format specifiers in various loongson machine dependent code.
Push sdhc(4) ricoh controllers into "old slow mode" at resume time.
Reverted part of r1.98 if_run.c which caused a regression on older run(4) devices.
Reworked piglet and pig memory allocation for more robust hibernation.
Now that sysctl(8) mp setperf is fixed, activated aggressive apmd(8) throttling again.
Fixed the calculation of the number of items to prime the pool(9) with in pool_setlowat(9).
Restored r1.249 of sys/dev/acpi/acpi.c. Upon resume, CPU now runs at speed requested by apm(8).
Support using pane id as part of session or window specifier and window id as part of session in tmux(1).
Support ! for last pane in tmux(1).
Fixed the build when DRMDEBUG is defined.
Enabled MSI support in msk(4).
Release the acpi(4) lock when calling wsdisplay_suspend() and wsdisplay_resume(). For better resume.
Fixed high capacity (> 2GB) eMMC support in sdmmc(4).
Hide unused, duplicate and/or misleading fields from audioctl(1).
In ssl(8), check the result from final_finish_mac() against finish_mac_length in ssl3_send_finished().
In ssl(8), don't record a match with the "finish MAC" if "SSL finished" has a zero-byte payload.
Implemented atomic_{cas,swap}_{uint,ulong,ptr} and atomic_{add,sub}_{int,long}_nv on hppa.
On macppc, enabled power saving modes for IBM PowerPC 970 CPUs.
Reworked pool(9) code to make it mpsafe (can be called without the kernel biglock being held).
Made packages(7) rsync-friendly. Reduces bandwidth usage by mirrors.
Fixed an invalid escape sequence in cu(1).
Allow agp(4) to map a single page without sleeping. Fixes intel(4) drm(4) panic on i386.
Added CHACHA20 to ssl(8) as a cipher symmetric encryption alias.
Moved rc.conf(8) from the etc to the base set (any local changes will be overwritten at next upgrade).
5.5 and 5.6 SECURITY FIX: ssl(8) session reuse vulnerability (CVE-2014-3616).
Introduce config_suspend_all(9), to invoke config_suspend(9) in appropriate order. Fixes problems with unflushed disk caches on machines where mpath(4) takes control of some of your disks.
Stopped sd(4) spinning back up while attempting to spin down some drives.
Increased number of blowfish(3) rounds to 8 by default (when not specified in login.conf(5)).
Updated to xkeyboard-config(7) version 2.12.
Changed screen terminfo(5) entry to have kbs=\177. Fixes problems with "le" editor.
If there are more than 8 CPUs, top(1) now defaults to combined CPU stats.
Disabled taking the mutex(9) to read pool(9) stats. Eliminates code paths that try to mtx_enter(9) twice.
Unlinked sendmail from the build.
Support ppb(4) bridges subtractive decoding. Fixes issues with pcmcia(4) behind a ATI SB400 PCI bridge.
Marked the mpi(4) and mpii(4) interrupt handlers mpsafe.
In httpd(8) and relayd(8), made the HTTP version mandatory and abort if it is missing in the request.
Made dd(1) error out when negative values are given for sizes on the command line.
In man.cgi(8), support backslash-escaping of white space in the query expression, similar to apropos(1).
Made the new isp(4) drivers match at a higher priority than old drivers.
In sysmerge(8) PKG mode, cope with non-default PREFIX (e.g. /var/www/...).
Provided a sparc64 version of sqrtl(3) for quad-precision floating point.
Remove cached 802.11 nodes in IEEE80211_STA_CACHE state. Stops them showing with ifconfig(8) scan.
On i386/amd64, stopped attempts to synchronise P-state transitions between CPUs. Fixes hangs and suspend/resume when running apmd(8/amd64).
Inspired by mdoclint(1), made mandoc(1) warn about botched .Xr ordering and punctuation below SEE ALSO; warn about commas in function arguments.
Implemented membar(9) API for i386.
Install files that moved from etc to base during "make build" to unbreak updating from src.
Let httpd(8) handle variations of the "Host" header (eg www.example.com:80, [2001:db8::1], [2001:db8::1]:80).
If a manpath directory does not exist, mandoc(1) will now silently skip it.
Fixed scans with various iwn(4) devices.
If pkg_add(1) not running as root, dismiss user id and groups, replace with root/bin. For FAKE_AS_ROOT=No.
Made the cleaner, syncer, pagedaemon and aiodone daemons all yield() if CPU is marked SHOULDYIELD.
Marked the mfi(4) interrupt handler mpsafe; give up biglock in the scsi(4) cmd submission paths.
Fixed interrupt storm on 2009 Mac minis with WOL enabled on nfe(4) interfaces.
Stopped uvm(9) sleeping on allocation of hash table entries. Fixes crashes with tmpfs.
Stopped pflog(4) counting bad packets multiple times.
Added window_last_flag and window_zoomed_flag to tmux(1).
5.6 and -current RELIABILITY FIX: Prevent addition of redundant IPv6 autoconf (SLAAC) addresses.
Fix a syslogd(8) regression when specifying all 20 additional log paths.
Implemented membar API for amd64.
Deleted procfs (always suffered from race conditions and is now unused).
5.4 RELIABILITY FIX: Added a one second receive timeout. Avoids stall of receive queue in vio(4).
5.4 and 5.5 RELIABILITY FIX: Removed race condition. Stops occasional network hangs in in vio(4).
Updated to mesa version 10.2.7.
Removed SSL_kDHr, SSL_kDHd and SSL_aDH from ssl(8). No supported ciphersuites use them.
Use shell substitution instead of dirname in sysmerge(8); fixed installing pkg @sample when target directory is missing; fixed output when a file fails to install.
5.6 RELIABILITY FIX: Stopped incorrect RX ring computation, which led to panics under load with bge(4), em(4) and ix(4).
A source code patch is available for 5.6.
Let roff(7) accept .ll in the prologue; parse and ignore the .pl (page length) request.
Upgraded inodesc.id_entryno in fsck_ffs(8) to u_int64_t, to handle larger file sizes with FFS2; fixed check for allocated fragments marked free in the bitmap.
Fixed FastCGI-based WebDAV and CalDAV (calendar) servers with httpd(8).
httpd(8) server name specification changed to name+address+port. Allows using same server name for multiple servers with different addresses.
Removed /etc/{hosts,myname} from etc.tgz; made the installer create the /etc/hosts template.
In perl(1), updated libnet to version 1.27.
Reworked how pool(9) with large pages (>PAGE_SIZE) are implemented.
Added *.gz support to apropos(1) -a, man(1), and mandoc(1).
In ssh(1), tightened permissions on pty(4) when the "tty" group does not exist.
Be coherent in the way arp(8) and ndp(8) display local entries, use "l" flag to distinguish them; skip broadcast entries (are not real arp(4) entries).
Make sure broadcast entries won't be freed by the arp(4) timer so we can use them for address lookups.
Treat broadcast entries like local ones and give them the highest route(4) priority.
Sync amd64 and i386 GENERIC.MP with other arches by enabling MP_LOCKDEBUG option.
If crypt(3) fails, smtpd(8) will now return an authentication error.
Implemented traditional -h option for man(1): show the SYNOPSIS only.
Initial httpd(8) support for persistent FastCGI connections via chunked Transfer-Encoding.
Added Jumbo support for BCM5714/5780/5717/5719/5720/57765/57766 bge(4) chipsets.
Fixed makewhatis(8) bug so apropos(1) and man(1) can find Xenocara manuals via .so links.
In man(1) mode, change to the right directory before starting the parser. Finds more Xenocara manuals.
Wake up any waiting clients with the tmux(1) "wait-for" command when the server exits.
smtpd(8) queue_api.c code will now close the file descriptor if fdopen(3) fails.
Prevented a null dereference of the urtw(4) configuration descriptor.
Improved option usage output for ssl(8); converted ssl(8) ecparam to new option/usage handling.
Applied fix from upstream perl(1) to harden the close() function (RT 37700).
Replaced the "least recently used" bufcache in vfs_cache(9) with one based on 2Q, for scan resistance.
On amd64, added implementations of atomic_{inc,dec,add,sub}_{int,long}(9) and atomic_{add,sub}_{int,long}_nv(9).
Correctly made accept4(2) a cancellation point as per pthread_testcancel(3).
Backported @file support from binutils-2.17.
Added uuid(3) support routines to libc.
Made sysmerge(8) completely silent by default when no file is modified.
In sysmerge(8) pkg mode, warn if the directory we want to copy an @sample into doesn't exist or is not an @sample.
In sparc64 ld.so(1), made the handling of PLT entries above the 32k mark thread-safe.
When a service is not available, made rcctl(8) return ENOENT.
Introduced a man(1) -l option as an alias for mandoc(1) -a.
Converted the openssl(1) "version" command to new option/usage handling.
On lii(4), set the MRU to a full size frame instead of basing it on the MTU.
Let the MRU always be what the oce(4) chip can do, not what the MTU implies.
Fixed 2 macppc panics.
Allow new devices to get an address for xhci(4) when XHCI_DEBUG is defined.
Fixed checking sync for old synaptics touchpad (ver 5.9) in pckbc(4).
Allow multiple relayd(8) instances to be configured to forward traffic to the same host.
Major sysmerge(8) cleanup now that both etc and xetc sets are part of base (-S -s and -x options gone).
Moved the xetc set into xbase (like etc was moved into base).
Added openssl(8) option handling for input/output formats, ordered flags, and for argument processing.
Added mdoc(7) support for .St -susv1 and .St -susv4.
Made diff(1) -uw produce valid output even when one file doesn't end with a newline.
Implemented table-driven ssl(8) option parsing. Allows an application to specify valid options and where to store them.
Ported openssl(1) rand application to the new option parsing and usage.
Nuked sysctl(8) net.inet6.icmp6.rediraccept and allow redirects on interfaces with autoconf enabled.
In newsyslog.conf(5), added httpd(8) default log files to the rotation.
Added ssl(8) API function ressl_config_set_ecdhcurve to set or disable a non-standard ECDH curve.
Added support for Curve25519 to iked(8).
Write all data before closing the httpd(8) server socket if the output buffer is not empty.
Added missing capability to handle new $2b version of blowfish(3) password encryption for usermod(8) and friends.
Added an implementation of man(1) into the /usr/bin/mandoc binary; unify command line options for mandoc(1), man(1), apropos(1), and whatis(1).
Create etc set during "make build", now embedded it in base set.
Removed nginx from the base system in favour of OpenBSD's homegrown httpd(8).
Moved openssl(1) from /usr/sbin/openssl to /usr/bin/openssl.
Unlinked xfs(1) from the build.
Added the ability to restrict syslogd(8) to an ip(4) or ip6(4) protocol family.
Added iked(8) support for DH groups 27-30 using the Brainpool curves as in ssl(8).
httpd(8) now supports both mime.types flavours (nginx- or apache-style).
Added generic system-wide /usr/share/misc/mime.types file, usable by httpd.conf(5).
Moved sending of router solicitations to the kernel. Makes rtsol(8) and rtsold(8) unnecessary.
Don't allow pasting into input-disabled tmux(1) panes.
Implemented _NET_WM_STATE_STICKY in cwm(1). Allows client to "stick" to all desktops or groups.
When using a proxy, made ftp(1) validate the cert hostname against the target hostname, not the proxy hostname.
Delete secret or secret-derived data in many base utilities with explicit_bzero(3).
Implementation of bold italic font support for postscript and pdf output in mandoc(1).
Start all rcctl(8) error messages with "rcctl: " so it is clear where they come from.
In debug mode, only print the flags relevant to the rc.d(8) we are calling instead of all flags; make it clear when we are using the default flags when none are set.
Make it possible for rcctl(8) to pass '-d' and '-f' to the rc.d(8) script.
Removed non-standard GOST cipher suites (which are not compiled in currently) from ssl(8).
pfctl(8) now makes sure rules have been defined when you specify queues in a rule.
Switched ndp(8) to display MAC addresses in 00:00:00:00:00:00 format.
Get arp(8) to print leading zeros in MAC addresses again.
Disabled use of bind in base (base uses nsd(8)/unbound(8) instead).
Ensure cwm(1) client that wants to be in nogroup stays in nogroup (thus stays in view), even when (re)reading NET_WM_DESKTOP.
Made syslogd(8) check host/port length when parsing syslog.conf(5). Avoids nasty error message "syslogd: priv_getaddrinfo: overflow attempt in hostname".
Set the default nfsd(8) flags to "-tun 4" when launched from rc.d(8).
Fixed memory leak in isakmpd(8) ike_phase_1.c.
Fixed acpi(4) sensor status for docking/undocking laptops, to allow sensorsd(8) to correctly detects state changes.
Bugfix to make whatis(1) case-insensitive again.
Added Last-Modified: HTTP header to httpd(8).
Allow syslogd(8) to send and receive udp(4) syslog packets on the IPv6 socket.
Unbroke sysmerge(8) when "SRCDIR=."
Limited the mandoc(1) CGI process execution time, to make REDoS attacks less effective.
Stopped mandoc(1) suppressing white space after .Fl if the next node is a text node on the same input line.
Made rcctl(8) "status" output match rc.conf(8) format.
Changed the output of arp(8) to match what ndp(8) does; include the expire timer.
After nfe(4) allocates an mbuf and cluster, properly init the length fields.
Implemented rxrinfo ioctl in ix(4) for cluster usage statistics.
Call audio_{pint,rint}() call-backs with the mutex held.
When doing "whole disk" installs on macppc, blank the first 1 meg of the disk. Allows successful creation of boot partition.
Unlinked the crypto(4) pseudo device (disabled by default for about 4 years).
Made sure eap(4) releases CPU mutexes upon receiving an EINVAL message.
On i386/amd64, backported support for the "rdtscp" instruction from binutils-2.17.
Removed the custom jumbo allocator from nfe(4) which was never enabled.
When sshd(8) is dumping the server configuration, made it print correct KEX, MAC and cipher defaults.
Introduced rcctl(8), a simple utility for maintaining rc.conf.local(8).
When a local route(4) entry is added for an ifa having a broadcast address, made it identifiable (by a flag) and persistent.
Ensure state changes are properly serialised in pms(4). makes enabling/disabling touchpads more reliable.
Missing stack var initialisation fixed in ld.so(1).
Added -4 and -6 flags to tcpbench(1), to specify ipv4 or ipv6 respectively.
Fixed _exit codes in syslogd(8) privsep.c, which were the wrong way around.
Fixed read access to uninitialised memory in mandoc(1).
Removed malloc(3) lock across some mmap(2) syscall(9). Speeds up multithreaded programs.
Added fancy printing of ktrace(1)'s ops argument to kdump(1).
Made kdump(1) display symbolically the mode argument of mkdir(1), mkfifo(1), mknod(2) and umask(2).
/etc/netstart now executed using sh(1) instead of sourcing it.
Repaired operation of sysctl(8) kern.arandom.
Removed support for public key operations from ubsec(4) and safe(4).
lofn(4) and nofn(4) removed as obsolete, due to reliance on the crypto(4) interface.
Switched to using O_CLOEXEC wherever we open a file and then call fcntl(F_SETFD, FD_CLOEXEC) on it. Reduces system calls and improves thread-safety for libraries.
More fixes in the attach failure path for ze(4/vax).
Added bounce matching for [] and {} to mg(1).
Synced relayd(8) and httpd(8) with RFC 7230-7235 phrases and IANA registered status codes.
In oce(4), implemented rxrinfo ioctl for cluster usage statistics.
systat(1) now only show active pools by default, pressing "A" shows all pools.
Updated drm(4) to libdrm 2.4.56.
Began cleanup of scaling units in roff(7).
Some X(7) resource files moved to /usr/X11R6/share/X11/app-defaults.
With a non-existent httpd(8) root, removed root prefix from PATH_INFO (useful for virtual FastCGI scripts inside a chroot(8)).
Made sure tftpd(8) always calls freeaddrinfo(3) after getaddrinfo(3).
In httpd(8), provided a failsafe version of the path_info() function.
Correctly set the rtable ID of the packet header when sending pppoe(4) Active Discovery Terminate packets.
Brought pflow(4) IPFIX sequence numbers in line with the RFC.
Sync pf.conf(5) behaviour with the man page regarding parent anchors for "once" rules.
On mips64, stopped uvm_map(9) from receiving addresses outside userland bounds.
Fixed tmux(1) copy mode problems: in vi mode, include the last character if you moved the cursor up or left; in emacs mode include the last character if you moved the cursor left.
Added tmux(1) flags to selectp, to enable and disable input to a pane.
In ksh(1), separately set FD_CLOEXEC if the new fd was >= FDBASE. Affects scripts that directly use 9 of the first 10 file descriptors.
When dhclient(8) is parsing 32 bit values, verify that we received 4 bytes.
Validate len field in dhcpd(8) for proper length, not just "not zero."
Brought back r1.131 of sys/kern/subr_pool.c: take the pools mutex when copying stats out of it in the sysctl(8) path.
Put back the checks about RTF_LOCAL routes now that userland tools are aware of them.
Stopped arp(4) and ndp(8) from trying to delete RTF_LOCAL entries.
Fixed unchecked memory allocation (and potential leak upon error) in ssl(8) ssl3_get_cert_verify().
Provided ssl3_get_cipher_by_id() function that allows ssl(8) ciphers to be looked up by their ID.
Always write core file of a non-suid process into pwd(1), even if sysctl(8) kern.nosuidcoredump is 2 or 3.
Fixed race in relayd(8) that caused non-persistent PUT connections with a short body to hang.
Removed disabled (weakened export and non-ephemeral DH) cipher suites from the ssl(8) cipher list.
If pkg_create(1) is run as non-root, restore correct group/owner to root/bin, and remove write permissions without explicit modes.
Fixed kqueue read/write filters for msdosfs and fuse(4) filesystems.
Fixed the length check for reinjected icmp(4) packets. Stops divert(4) discarding valid packets shorter than 20 bytes.
Fixed readelf(1) "--debug-dump=frames-interp" output.
5.4 and 5.5 SECURITY FIXES: Backported security fixes from openssl 1.0.1i
A source code patch is available for 5.4 and 5.5.
Initial sysmerge(8) support for handling configuration files from packages.
Now that uhub(4) can deal with them, added support for non-root hubs.
Made uhub(4) correctly recognise Super Speed devices.
Allow httpd.conf(5) to include the "types" section anywhere in the configuration file.
Removed tmux(1) support for the continuously reporting "any" mouse mode (never worked properly, rarely used).
Backport from binutils-2.17 the correct i386/amd64 register->int assignments for CFI.
Allow httpd(8) to use a fastcgi target as the default index (eg index.php).
Fixed relayd(8) when using DNS over udp(4) so it continues to work after the first request.
radeon(4) fixes: only apply hdmi "bpc pll" flags when encoder mode is hdmi; fixed dithering on some panels; fixed lane/clock setup for dp 1.2 capable devices.
Brought mandoc(1) handling of defective prologues closer to groff.
Simplified man(7) validation in mandoc(1).
Fixed mandoc(1) floating point handling. Fixes the indentation of the readline(3) manual.
Allow httpd(8) to serve emtpy (0 bytes) files.
Improved mandoc(1) handling of next-line scope when it is broken by end of file.
Partial mandoc(1) implementation of .Bd -centred; various improvements related to .Ex and .Rv.
Made sure asynchronous commands do not race with synchronous ones in xhci(4).
Improved xhci(4) logic to determine the maximum endpoint service interface time payload.
Made xhci(4) always report stalls, as umass(4) relies on this information.
Added support for using "-" as shorthand for stdin/stdout in tradcpp(1).